File name: 089bc72a7f724edd8c6bd6c1d14db1698c93a9087e12315e7a400367ca51a29a.zip

Full analysis: https://app.any.run/tasks/c7be70ee-65eb-4f1d-abe6-6dd84e9c3ab3
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: May 29, 2025, 20:03:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, pastebin, xworm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5: E248C5D9C8AF3A32B54CC297B6E3849F
SHA1: 71FEE4808CA5FEBC97EEA33293BD3A9433118EAE
SHA256: EF5808D6CEE6483C60F8812AEB28E4BB4D57180E92B50E700050CF0C6BE3BF2D
SSDEEP: 12:5fGuoOE23HDNHXfEYD8hnWanQHi+LCHbbMRTBuKauWDEsLqOHk2ol6E23HDNHXPq:BhHXfEpACbuVbsXEHehHXy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4628)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2504)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 2504)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2904)
    • Application was injected by another process

      • lsass.exe (PID: 756)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2536)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 3084)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3104)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 3232)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 4508)
      • dllhost.exe (PID: 5880)
      • svchost.exe (PID: 1572)
      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 6024)
      • dwm.exe (PID: 6568)
      • uhssvc.exe (PID: 648)
      • sihost.exe (PID: 4984)
      • svchost.exe (PID: 4544)
      • svchost.exe (PID: 1684)
      • svchost.exe (PID: 4952)
      • ApplicationFrameHost.exe (PID: 6952)
      • ctfmon.exe (PID: 956)
      • RuntimeBroker.exe (PID: 5368)
      • audiodg.exe (PID: 6168)
      • RuntimeBroker.exe (PID: 1036)
      • RuntimeBroker.exe (PID: 2652)
      • svchost.exe (PID: 4348)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 4916)
      • svchost.exe (PID: 6544)
      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 6608)
      • RuntimeBroker.exe (PID: 6160)
      • dllhost.exe (PID: 6896)
      • explorer.exe (PID: 5492)
      • UserOOBEBroker.exe (PID: 1248)
      • svchost.exe (PID: 6248)
      • svchost.exe (PID: 6192)
      • svchost.exe (PID: 4740)
      • WmiPrvSE.exe (PID: 1568)
      • svchost.exe (PID: 5020)
      • svchost.exe (PID: 6388)
      • RuntimeBroker.exe (PID: 7128)
      • svchost.exe (PID: 2320)
      • consent.exe (PID: 6800)
    • Uses Task Scheduler to autorun other applications

      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
    • Runs injected code in another process

      • u3yzbs5c.mhg.exe (PID: 6572)
      • ao3tjvrd.sq5.exe (PID: 1180)
      • 3ulzhle4.avh.exe (PID: 6980)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 1696)
    • Uses Task Scheduler to run other applications

      • svchost.exe (PID: 1696)
    • Create files in the Startup directory

      • svchost.exe (PID: 1696)
    • XWORM has been detected (YARA)

      • svchost.exe (PID: 1696)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • explorer.exe (PID: 5492)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 5492)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 2320)
    • Starts process via Powershell

      • powershell.exe (PID: 2904)
    • Application launched itself

      • powershell.exe (PID: 2504)
    • Manipulates environment variables

      • powershell.exe (PID: 2904)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2504)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 2504)
      • cmd.exe (PID: 2320)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2320)
      • powershell.exe (PID: 2504)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 2504)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 2904)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2904)
      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
      • Update.exe (PID: 6676)
    • Reads Microsoft Outlook installation path

      • powershell.exe (PID: 2904)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 2904)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 2904)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 2904)
    • Reads the date of Windows installation

      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
    • Adds/modifies Windows certificates

      • lsass.exe (PID: 756)
    • Connects to unusual port

      • svchost.exe (PID: 1696)
    • The process executes via Task Scheduler

      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
      • Update.exe (PID: 6676)
  • INFO

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6480)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 2904)
      • Taskmgr.exe (PID: 516)
    • Manual execution by a user

      • cmd.exe (PID: 2320)
      • notepad.exe (PID: 6480)
      • Taskmgr.exe (PID: 6036)
      • Taskmgr.exe (PID: 516)
    • Reads the time zone

      • MoUsoCoreWorker.exe (PID: 5496)
      • WmiPrvSE.exe (PID: 1568)
    • Disables trace logs

      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 2904)
      • svchost.exe (PID: 1696)
    • Checks proxy server information

      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 2904)
      • svchost.exe (PID: 1696)
      • slui.exe (PID: 5164)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2504)
    • Reads the software policy settings

      • lsass.exe (PID: 756)
      • powershell.exe (PID: 2904)
      • slui.exe (PID: 4980)
      • svchost.exe (PID: 1696)
      • consent.exe (PID: 6800)
      • slui.exe (PID: 5164)
    • Create files in a temporary directory

      • powershell.exe (PID: 2904)
      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
    • Reads the computer name

      • svchost.exe (PID: 1696)
      • u3yzbs5c.mhg.exe (PID: 6572)
      • Update.exe (PID: 716)
      • ao3tjvrd.sq5.exe (PID: 1180)
      • Update.exe (PID: 7012)
      • 3ulzhle4.avh.exe (PID: 6980)
    • Checks supported languages

      • svchost.exe (PID: 1696)
      • u3yzbs5c.mhg.exe (PID: 6572)
      • uhssvc.exe (PID: 648)
      • ao3tjvrd.sq5.exe (PID: 1180)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
      • 3ulzhle4.avh.exe (PID: 6980)
    • Creates files or folders in the user directory

      • powershell.exe (PID: 2904)
      • svchost.exe (PID: 1696)
      • explorer.exe (PID: 5492)
    • Process checks computer location settings

      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
    • Reads the machine GUID from the registry

      • svchost.exe (PID: 1696)
      • Update.exe (PID: 716)
      • Update.exe (PID: 7012)
    • Reads Environment values

      • svchost.exe (PID: 1696)
    • Launch of the file from Startup directory

      • svchost.exe (PID: 1696)
    • Launch of the file from Registry key

      • svchost.exe (PID: 1696)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • Update.exe (PID: 6676)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2025:05:29 20:03:08
ZipCRC: 0x224bd561
ZipCompressedSize: 262
ZipUncompressedSize: 360
ZipFileName: 089bc72a7f724edd8c6bd6c1d14db1698c93a9087e12315e7a400367ca51a29a.bat
No data.
Total processes: 173
Monitored processes: 128
Malicious processes: 93
Suspicious processes: 6

Behavior graph

start winrar.exe no specs sppextcomobj.exe no specs slui.exe notepad.exe no specs cmd.exe no specs conhost.exe no specs certutil.exe no specs powershell.exe wmiprvse.exe powershell.exe svchost.exe no specs #XWORM svchost.exe u3yzbs5c.mhg.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe slui.exe update.exe ao3tjvrd.sq5.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs taskmgr.exe no specs consent.exe taskmgr.exe update.exe 3ulzhle4.avh.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs update.exe ai3ns0vc.leh.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe runtimebroker.exe explorer.exe mousocoreworker.exe dllhost.exe svchost.exe runtimebroker.exe audiodg.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe dwm.exe svchost.exe winlogon.exe dllhost.exe applicationframehost.exe runtimebroker.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 468
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 516
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
PID: 648
CMD: "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Path: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Update Health Service
Version: 10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID: 716
CMD: "C:\Users\admin\AppData\Roaming\Update.exe"
Path: C:\Users\admin\AppData\Roaming\Update.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 756
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Local Security Authority Process
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 780
CMD: "SCHTASKS.exe" /create /tn "MasonUpdate.exe" /tr "'C:\Users\admin\AppData\Roaming\Update.exe'" /sc onlogon /rl HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 4294967295
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 860
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 956
CMD: "ctfmon.exe"
Path: C:\Windows\System32\ctfmon.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CTF Loader
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1036
CMD: C:\Windows\System32\RuntimeBroker.exe -Embedding
Path: C:\Windows\System32\RuntimeBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Runtime Broker
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 1044
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events: 80 725
Read events: 79 734
Write events: 605
Delete events: 386

Modification events

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: MinTimeBetweenCallsWhenThrottledInSeconds
Value: 300
(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: CostedConnectionInterval
Value: 20160
(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: TargetingAttributes
teDelta_NI22H2SubtractNI22H2Setup","a:DataExpDateEpoch_NI22H2Setup","a:TimestampEpochString_NI22H2","r:IsVbsEnabled","r:FODRetryPending","r:UserInPlaceUpgrade","v:HidparseDriversVer","v:HidparseSystem32Ver","v:HidparseSystem32Ver1","r:CIOptin","r:FlightingOptOutState","p:WSUSconfigured_csp","a:UpgEx_NI22H2Setup","a:UpgEx_CO21H2Setup","u:WUfBClientManaged","u:UpdateServiceUrl","u:AllowOptionalContent","FX_FlightIds","DL_OSVersion","r:ExpPkgs","r:UUSVersion","MX_FlightIds","r:OobeNdupFUTarget","a:GStatus_NI23H2","a:DataExpDateEpoch_NI23H2","a:TimestampEpochString_NI23H2","DataExpDateDelta_NI23H2SubtractNI22H2Setup","TimestampDelta_NI23H2SubtractNI22H2Setup","r:LaunchUserOOBE","r:RobloxPlayer","r:RobloxStudio","c:VBSState","r:ARCHotpatchAttached_State","r:MDEWSLPluginReleaseRing","r:SystemGuard_Enabled","u:AdminOptedIntoRebootlessUpdates","r:LaunchOobeInEndUserSession","r:MDE4WSLPluginReleaseRing","r:AdminOptedIntoRebootlessUpdates_Server","r:IsRemoteDesktopSessionHost","a:UpgEx_GE24H2","s:IsA9CapablePC","a:UpgEx_GE24H2Setup","r:ProductType","a:DataExpDateEpoch_GE24H2","DataExpDateDelta_GE24H2SubtractGE24H2Setup","a:DataExpDateEpoch_GE24H2Setup","a:GStatus_GE24H2","a:GStatus_GE24H2Setup","a:TimestampEpochString_GE24H2","TimestampDelta_GE24H2SubtractGE24H2Setup","a:TimestampEpochString_GE24H2Setup","q:AIFabricCBSStableVer","c:IsVirtualDevice","a:SdbVer_GE24H2","r:HotpatchError","r:CHPE_Disabled","r:MSRT_NO_AU","r:ClientHash2","r:NPU_DeviceId"],"_WU_PTI":["c:FrontFacingCameraResolution","c:RearFacingCameraResolution","c:TotalPhysicalRAM","c:NFCProximity","c:Magnetometer","c:Gyroscope","c:D3DMaxFeatureLevel","c:InternalPrimaryDisplayResolutionHorizontal","c:InternalPrimaryDisplayResolutionVetical"],"WU_STORE":["+_WU_COMMON","r:AppChannels","r:AppRMIDs","u:BranchReadinessLevel"]},"Required":["App","AppVer","AttrDataVer"],"Aliases":{"AccountFirstChar":"c:MSA_Accounts","aipc":"s:IsA9CapablePC","ccr":"r:ChargeCapacityRatio","ChassisTypeId":"c:ChassisType","CX_FlightIds":"c:CX
_FlightIds","DataExpDateDelta_19H1Subtract19H1Setup":"a:DataExpDateEpoch_19H1_Subtract_DataExpDateEpoch_19H1Setup","DataExpDateDelta_20H1Subtract20H1Setup":"a:DataExpDateEpoch_20H1_Subtract_DataExpDateEpoch_20H1Setup","DataExpDateDelta_21H1Subtract20H1Setup":"a:DataExpDateEpoch_21H1_Subtract_DataExpDateEpoch_20H1Setup","DataExpDateDelta_CO21H2SubtractCO21H2Setup":"a:DataExpDateEpoch_CO21H2_Subtract_DataExpDateEpoch_CO21H2Setup","DataExpDateDelta_GE24H2SubtractGE24H2Setup":"a:DataExpDateEpoch_GE24H2_Subtract_DataExpDateEpoch_GE24H2Setup","DataExpDateDelta_NI22H2SubtractNI22H2Setup":"a:DataExpDateEpoch_NI22H2_Subtract_DataExpDateEpoch_NI22H2Setup","DataExpDateDelta_NI23H2SubtractNI22H2Setup":"a:DataExpDateEpoch_NI23H2_Subtract_DataExpDateEpoch_NI22H2Setup","devfm":"c:DeviceForm","deviceClass":"DeviceFamily","deviceId":"t:LocalDeviceID","DeviceId":"t:LocalDeviceID","DL_OSVersion2":"DL_OSVersion","drgng":"r:DurableDeviceRegionGeo","DSS_Enrolled":"r:DSS_Enrolled_State","EdgeStableVersion":"r:EdgeStableVersion","expId":"c:FlightIds","FlightRing":"f:FlightRing","FX_FlightIds":"c:FlightIds","iepe":"g:IsCampaignEdgePromotionEnabled","iste":"g:IsCampaignSegmentTargetingEnabled","IsVM":"a:ISVM","IX_FlightIds":"c:FlightIds","locale":"c:OSUILocale","ms":"t:IsMsftOwned","MX_FlightIds":"c:FlightIds","OEMModel":"c:OEMModelNumber","oemname":"r:SystemManufacturer","OEMName_Uncleaned":"c:OEMManufacturerName","osVer":"t:OSVersionFull","OSVersionFull":"t:OSVersionFull","PhoneTargetingName":"c:OEMModelName","prccn":"c:ProcessorCores","prccs":"c:ProcessorClockSpeed","prcmf":"c:ProcessorManufacturer","procm":"c:ProcessorModel","ram":"c:TotalPhysicalRAM","ring":"f:FlightRing","sampleId":"t:PopVal","sku":"t:OSSkuId","smbiosdm":"r:SystemProductName","TimestampDelta_19H1Subtract19H1Setup":"a:TimestampEpochString_19H1_Subtract_TimestampEpochString_19H1Setup","TimestampDelta_20H1Subtract20H1Setup":"a:TimestampEpochString_20H1_Subtract_TimestampEpochString_20H1Setup","TimestampDelta_21H1Subtract2
0H1Setup":"a:TimestampEpochString_21H1_Subtract_TimestampEpochString_20H1Setup","TimestampDelta_CO21H2SubtractCO21H2Setup":"a:TimestampEpochString_CO21H2_Subtract_TimestampEpochString_CO21H2Setup","TimestampDelta_GE24H2SubtractGE24H2Setup":"a:TimestampEpochString_GE24H2_Subtract_TimestampEpochString_GE24H2Setup","TimestampDelta_NI22H2SubtractNI22H2Setup":"a:TimestampEpochString_NI22H2_Subtract_TimestampEpochString_NI22H2Setup","TimestampDelta_NI23H2SubtractNI22H2Setup":"a:TimestampEpochString_NI23H2_Subtract_TimestampEpochString_NI22H2Setup","W10ESU":"r:Win10ConsumerESUStatus"},"Fallback":{"r:AhnlabInstalledKey":"r:AhnlabInstalledWowKey","r:AvastBlackScreen":"r:AvgBlackScreen","r:AvastInstalledKey":"r:AvastInstalledWowKey","r:AVGInstalledKey":"r:AVGInstalledWowKey","r:AviraInstalledKey":"r:AviraInstalledWowKey","a:Bios":"a:Bios_RS3","a:Bios_RS3":"a:Bios_RS4","a:Bios_RS4":"a:Bios_RS5","r:BlockFeatureUpdates":"r:BlockWUUpgrades","r:BlockWUUpgrades":"r:BlockWUUpgradesWow","r:BuildFID":"r:BuildFID_WCOS","r:BuildFID_WCOS":"r:BuildFID_WCOS2","r:BullguardInstalledKey":"v:BullguardInstalledVer","a:DataExpDateEpoch_CO21H2":"r:DataExpDateEpoch_CO21H2RegFb","r:DchuAmdGrfxVen":"r:DchuAmdGrfxVen2","r:DchuAmdGrfxVen2":"r:DchuAmdGrfxDeletePending","r:DchuIntelGrfxDeletePending":"r:DchuIntelGrfxNExists","r:DchuIntelGrfxVen":"r:DchuIntelGrfxVen2","r:DchuIntelGrfxVen2":"r:DchuIntelGrfxDeletePending","r:DchuNvidiaGrfxVen":"r:DchuNvidiaGrfxVen2","r:DchuNvidiaGrfxVen2":"r:DchuNvidiaGrfxDeletePending","DL_OSVersion":"OSVersion","r:DriverPartnerRing":"r:OSDataDriverPartnerRing","r:EdgeStableOPV_Native":"r:EdgeStablePV_Native","r:EdgeStablePV_WOW6432":"r:EdgeStableOPV_Native","r:EdgeStableVersion":"r:EdgeStablePV_WOW6432","r:EdgeWithChromiumInstallFailureCount":"r:EdgeWithChromiumInstallFailureCountWow","r:EdgeWithChromiumInstallVersion":"r:EdgeWithChromiumInstallVersionWow","u:EnableWUfBUpgradeGates":"r:EnableWUfBUpgradeGatesRS5","r:ESETInstalledKey":"r:ESETInstalledWowKey","r:ESTSecurity
InstalledKey":"r:ESTSecurityInstalledWowKey","f:FlightingBranchName":"c:FlightingBranchName","a:Free":"a:Free_RS3","a:Free_RS3":"a:Free_RS4","a:Free_RS4":"a:Free_RS5","r:FSecureInstalledKey":"r:FSecureInstalledWowKey","a:GatedFeature_NI22H2":"r:Migrated_GatedFeature_NI22H2Setup","a:GStatus_CO21H2":"r:GStatus_CO21H2RegFb","HoloLens":"r:WindowsMixedReality","r:IsEdgeWithChromiumInstalled":"r:IsEdgeWithChromiumInstalledWow","a:ISVM":"a:ISVM_RS3","a:ISVM_RS3":"a:ISVM_RS4","a:ISVM_RS4":"a:ISVM_RS5","r:K7InstalledKey":"r:K7InstalledWowKey","r:KasperskyInstalledKey":"r:KasperskyInstalledWowKey","r:KingsoftInstalledKey":"r:KingsoftInstalledWowKey","r:LenovoInstalledKey":"r:LenovoInstalledWowKey","r:MalwarebytesInstalledKey":"r:MalwarebytesInstalledWowKey","r:McAfeeInstalledKey":"r:McAfeeInstalledWowKey","r:Migrated_GatedFeature_NI22H2Setup":"r:Migrated_GatedFeature_NI22H2","c:OEMModelBaseBoard":"r:OEMModelBaseBoard","r:PandaInstalledKey":"r:PandaInstalledWowKey","r:PandaInstalledWowKey":"v:PandaInstalledVer","r:PonchAllow":"r:PonchAllowKey","r:PonchAllowKey":"r:PonchAllowWow","r:PonchAllowWow":"r:PonchAllowWowKey","r:QUDeadline":"r:QUDeadlineMDM","r:QuickhealInstalledKey1":"r:QuickhealInstalledKey2","r:SophosInstalledKey1":"r:SophosInstalledKey2","r:SymantecInstalledKey":"r:SymantecInstalledWowKey","v:SymantecVer":"v:SymantecVer64","u:TargetReleaseVersion":"r:TargetReleaseVersionGP","r:TargetReleaseVersionGP":"r:TargetReleaseVersionMDM","r:TencentInstalledKey":"r:TencentInstalledWowKey","r:ThreatTrackInstalledKey":"r:ThreatTrackInstalledWowKey","a:TimestampEpochString_CO21H2":"r:TimestampEpochString_CO21H2RegFb","v:TobiiVer":"v:TobiiVerx86","v:TobiiVerx86":"v:TobiiVer1x86","r:TrendInstalledKey":"r:TrendInstalledWowKey","r:TrendInstalledWowKey":"v:TrendInstalledVer","a:UpgEx_CO21H2":"r:UpgEx_CO21H2RegFb","r:UpgradeAccepted":"r:Win11UpgradeAcceptedWUSeeker","r:WebExperience":"r:WebExperienceWow","r:WebrootInstalledKey":"r:WebrootInstalledWowKey"},"Transform":{"AccountFirstCha
r":{"SubLength":1},"CX_FlightIds":{"Regex":"CX:[^,]*","RegexDelimiter":","},"FlightingOptOutState":{"Ignore":["0"]},"FX_FlightIds":{"Regex":"FX:[^,]*","RegexDelimiter":","},"IppPrinterBadDefaultPdc":{"Contains":"V4_No_ChangeID_Present"},"aipc":{"Ignore":["0"]},"IsDomainJoined":{"Ignore":["0"]},"IsHybridOrXGpu":{"Ignore":["0"]},"IsMsftOwned":{"Ignore":["0"]},"IsPortableOperatingSystem":{"Ignore":["0"]},"IsRemoteDesktopSessionHost":{"Contains":"ServerRdsh"},"IsTestLab":{"Ignore":["0"]},"IsVM":{"Ignore":["0"]},"IX_FlightIds":{"Regex":"IX:[^,]*","RegexDelimiter":","},"MX_FlightIds":{"Regex":"ME:[^,]*|MD:[^,]*","RegexDelimiter":","},"OEMModel":{"SubLength":100},"OEMName_Uncleaned":{"SubLength":100},"PausedFeatureStatus":{"Ignore":["0"]},"PausedQualityStatus":{"Ignore":["0"]},"PSAKyoceraInstalledName":{"Contains":"A97ECD55.KYOCERAPrintCenter"},"PSATATriumphInstalledName":{"Contains":"TATriumph-AdlerGmbH.TAUTAXPrintCenter"},"SMode":{"Ignore":["0"]},"StayOnWindows10Timestamp":{"SubLength":-3,"Ignore":[""]},"XeroxPsaInstalledName":{"Contains":"XeroxCorp.PrintExperience"}},"Registry":{"AADBrokerPluginNotRegistered":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsMitigationData\\AADBrokerPluginNotRegistered","IfExists":true},"AADTenantId":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\CCM","ValueName":"AadTenantId"},"ActiveHoursEnd":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"ActiveHoursEnd","RegValueType":"REG_DWORD"},"ActiveHoursStart":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"ActiveHoursStart","RegValueType":"REG_DWORD"},"AdminOptedIntoRebootlessUpdates_Server":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\Hotpatch\\Environment","ValueName":"AllowRebootlessUpdates","RegValueType":"REG_DWORD"},"AhnlabInstalledKey":{"FullPath":"SOFTWARE\\Ahnlab","IfExists":true},"AhnlabInstalledWowKey":{"FullPath
":"SOFTWARE\\WOW6432Node\\Ahnlab","IfExists":true},"AhnLabKeyboard":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\Mkd2kfNt","ValueName":"NbTpMsExist"},"AllowInPlaceUpgrade":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\\\Windows\\\\CurrentVersion","ValueName":"AllowInPlaceUpgrade","RegValueType":"REG_DWORD"},"AllowUpgradesWithUnsupportedTPMOrCPU":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Setup\\MoSetup","ValueName":"AllowUpgradesWithUnsupportedTPMOrCPU","RegValueType":"REG_DWORD"},"AndroidUserOptinValue":{"HKey":"HKEY_CURRENT_USER","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Mobility\\","ValueName":"OptedIn","RegValueType":"REG_DWORD"},"AppChannels":{"FullPath":"SOFTWARE\\Policies\\Microsoft\\WindowsStore\\Apps\\*","ValueName":"ChannelId","EncodingType":"Json"},"AppRMIDs":{"FullPath":"SOFTWARE\\Policies\\Microsoft\\WindowsStore\\Apps\\*","ValueName":"ReleaseManagementId","EncodingType":"Json"},"ARCHotpatchAttached_State":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Azure Connected Machine Agent\\Windows\\Licenses\\Features\\Hotpatch","ValueName":"Subscription","RegValueType":"REG_DWORD"},"AutopilotUpdateInProgress":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Provisioning\\AutopilotSettings\\VolatileAutopilotUpdate","ValueName":"AutopilotUpdateInProgress","RegValueType":"REG_DWORD"},"AvastBlackScreen":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\aswVmm\\Parameters","ValueName":"Win10-1803"},"AvastInstalledKey":{"FullPath":"SOFTWARE\\Avast Software\\Avast","IfExists":true},"AvastInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Avast 
Software\\Avast","IfExists":true},"AvastReg":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\aswVmm\\Parameters","ValueName":"QualityCompat"},"AvgBlackScreen":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\avgVmm\\Parameters","ValueName":"Win10-1803"},"AVGInstalledKey":{"FullPath":"SOFTWARE\\AVG\\Antivirus","IfExists":true},"AVGInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\AVG\\Antivirus","IfExists":true},"AvgReg":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\avgVmm\\Parameters","ValueName":"QualityCompat"},"AviraInstalledKey":{"FullPath":"SOFTWARE\\X-AVCSD\\Workstation\\Antivirus","IfExists":true},"AviraInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\X-AVCSD\\Workstation\\Antivirus","IfExists":true},"BaseBoardManufacturer":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"HARDWARE\\DESCRIPTION\\System\\BIOS","ValueName":"BaseBoardManufacturer"},"BitDefenderInstalledKey":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{1FCCF41D-5F00-4FE2-9653-162D0486C8B4}","IfExists":true},"BlockEdgeWithChromiumUpdate":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate","ValueName":"DoNotUpdateToEdgeWithChromium","RegValueType":"REG_DWORD"},"BlockFeatureUpdates":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\OSUpgrade","ValueName":"BlockFeatureUpdates","RegValueType":"REG_DWORD"},"BlockWUUpgrades":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows10Upgrader\\Volatile","ValueName":"BlockWUUpgrades","RegValueType":"REG_DWORD"},"BlockWUUpgradesWow":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows10Upgrader\\Volatile","ValueName":"BlockWUUpgrades","RegValueType":"REG_DWORD"},"BroadcomInstalledKey":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Symantec\\Symantec Endpoint 
Protection","IfExists":true},"BuildFID":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build","ValueName":"EsdFlightData","RegValueType":"REG_SZ"},"BuildFID_WCOS":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"OSDATA\\Software\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build","ValueName":"EsdFlightData","RegValueType":"REG_SZ"},"BuildFID_WCOS2":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"OSDATA\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build","ValueName":"EsdFlightData","RegValueType":"REG_SZ"},"BullguardInstalledKey":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\BullGuard","IfExists":true},"BypassNRO":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE","ValueName":"BypassNRO","RegValueType":"REG_DWORD"},"ChargeCapacityRatio":{"HKey":"HKEY_CURRENT_USER","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\HealthSignals","ValueName":"ChargeCapacityRatio","RegValueType":"REG_DWORD"},"ChinaTypeApproval_CTA":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess","ValueName":"ActivePolicyCode","RegValueType":"REG_SZ"},"CHPE_Disabled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management","ValueName":"HotPatchRestrictions","RegValueType":"REG_DWORD"},"CIOptin":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"IsContinuousInnovationOptedIn","RegValueType":"REG_DWORD"},"ClientHash2":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\SLS","ValueName":"ClientHash2","RegValueType":"REG_DWORD"},"CloudFilesFilter":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Services\\CldFlt\\Instances\\","ValueName":"DefaultInstance","RegValueType":"REG_SZ"},"CurrentBranch":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion","ValueName":"BuildBranch","RegValueType":"REG_SZ"},"DataExpDateEpoch_CO21H2RegFb":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TargetVersionUpgradeExperienceIndicators\\CO21H2","ValueName":"DataExpDateEpoch","RegValueType":"REG_SZ"},"DaysSince19H1FUOffer":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\rempl\\irplugin","ValueName":"DaysSinceLastOffer","RegValueType":"REG_QWORD"},"DchuAmdGrfxDeletePending":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\amdkmdag","ValueName":"DriverDelete"},"DchuAmdGrfxExists":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\amdkmdag","IfExists":true},"DchuAmdGrfxVen":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\amdkmdag","ValueName":"DCHUVen"},"DchuAmdGrfxVen2":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\amdkmdag\\Parameters","ValueName":"DCHUVen"},"DchuIntelGrfxDeletePending":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\igfx","ValueName":"DriverDelete"},"DchuIntelGrfxExists":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\igfx","IfExists":true},"DchuIntelGrfxNExists":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Services\\igfxn","IfExists":true},"DchuIntelGrfxVen":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\igfx","ValueName":"DCHUVen"},"DchuIntelGrfxVen2":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\igfx\\Parameters","ValueName":"DCHUVen"},"DchuNvidiaGrfxDeletePending":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\nvlddmkm","ValueName":"DriverDelete"},"DchuNvidiaGrfxExists":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\nvlddmkm","IfExists":true},"DchuNvidiaGrfxVen":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\nvlddmkm","ValueName":"DCHUVen"},"DchuNvidiaGrfxVen2":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\nvlddmkm\\Parameters","ValueName":"DCHUVen"},"DchuNvidiaGrfxVenTest":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Se
rvices\\nvlddmkm","ValueName":"DCHUVenTest","RegValueType":"REG_DWORD"},"DefaultUserRegion":{"HKey":"HKEY_USERS","FullPath":".DEFAULT\\Control Panel\\International\\Geo","ValueName":"Nation","RegValueType":"REG_SZ"},"DeviceInfoGatherSuccessful":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing","ValueName":"DeviceInfoGatherSuccessful","RegValueType":"REG_DWORD"},"DisableWUfBOfferBlock":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UpdatePolicy\\Settings","ValueName":"DisableWUfBOfferBlock","RegValueType":"REG_DWORD"},"DisconnectedStandby":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\Power","ValueName":"EnforceDisconnectedStandby","RegValueType":"REG_DWORD"},"DotNetMissingComponentsTroubleshooterSuccess":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\.NETFramework","ValueName":"DotNetMissingComponentsTroubleshooterSuccess","RegValueType":"REG_DWORD"},"DriverPartnerRing":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\DriverFlighting\\Partner","ValueName":"TargetRing","RegValueType":"REG_SZ"},"DSS_Enrolled_DF":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate","ValueName":"WUfBDF","RegValueType":"REG_DWORD"},"DSS_Enrolled_State":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WufbDS","ValueName":"enrollmenttype","RegValueType":"REG_SZ"},"DUInternal":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Setup\\MoSetup","ValueName":"DynamicUpdateInternalTest","RegValueType":"REG_DWORD"},"DurableDeviceRegionGeo":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Control 
Panel\\DeviceRegion","ValueName":"DeviceRegion","RegValueType":"REG_DWORD"},"EdgeStableOPV_Native":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","ValueName":"opv","RegValueType":"REG_SZ"},"EdgeStablePV_Native":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","ValueName":"pv","RegValueType":"REG_SZ"},"EdgeStablePV_WOW6432":{"FullPath":"SOFTWARE\\Wow6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","ValueName":"pv","RegValueType":"REG_SZ"},"EdgeStableVersion":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Wow6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","ValueName":"opv","RegValueType":"REG_SZ"},"EdgeWithChromiumInstallFailureCount":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate","ValueName":"WindowsUpdateAttempts"},"EdgeWithChromiumInstallFailureCountWow":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Wow6432Node\\Microsoft\\EdgeUpdate","ValueName":"WindowsUpdateAttempts"},"EdgeWithChromiumInstallVersion":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate","ValueName":"WindowsUpdateVersion"},"EdgeWithChromiumInstallVersionWow":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Wow6432Node\\Microsoft\\EdgeUpdate","ValueName":"WindowsUpdateVersion"},"EKB19H2InstallCount":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Setup\\FeatureStaging\\20455539\\2","ValueName":"Count"},"EKB19H2InstallTimeEpoch":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Setup\\FeatureStaging\\20455539\\2","ValueName":"Timestamp"},"EKB19H2UnInstallCount":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Setup\\FeatureStaging\\20455539\\0","ValueName":"Count"},"EKB19H2UnInstallTimeEpoch":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Setup\\FeatureStaging\\20455539\\0","ValueName":"Timestamp"},"EnableCloudManagedIDS":{"HK
ey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\IDS","ValueName":"EnableCloudManagedIDS"},"EnableWUfBUpgradeGatesRS5":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows NT\\CurrentVersion\\502505fe-762c-4e80-911e-0c3fa4c63fb0","ValueName":"DataRequireGatedScanForFeatureUpdates","RegValueType":"REG_DWORD"},"ESETInstalledKey":{"FullPath":"SOFTWARE\\ESET\\ESET Security","IfExists":true},"ESETInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\ESET\\ESET Security","IfExists":true},"EsetReg":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Services\\ehdrv\\Parameters","ValueName":"WindowsCompatibilityLevel","RegValueType":"REG_DWORD"},"ESTSecurityInstalledKey":{"FullPath":"SOFTWARE\\ESTsoft","IfExists":true},"ESTSecurityInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\ESTsoft","IfExists":true},"ExpPkgs":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfhost\\Applicability","ValueName":"ExpPkgs","RegValueType":"REG_SZ"},"ExpStates":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfHost\\FIDs","ValueName":"PreviewConfigs","RegValueType":"REG_SZ"},"FeatureUpdateDeadline":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\","ValueName":"ConfigureDeadlineForFeatureUpdates","RegValueType":"REG_DWORD"},"FIDTSRan":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build\\TS_Crash_56093636_Logs","ValueName":"LastHr"},"FlightContent":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfHost\\Applicability","ValueName":"ContentType","RegValueType":"REG_SZ"},"FlightingOptOutState":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfHost\\UI\\Selection","ValueName":"OptOutState","RegValueType":"REG_DWORD"},"FODRetryPending":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Com
ponent Based Servicing","ValueName":"FODRetry","RegValueType":"REG_DWORD"},"FSecureInstalledKey":{"FullPath":"SOFTWARE\\F-Secure\\OneClient","IfExists":true},"FSecureInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\F-Secure\\OneClient","IfExists":true},"FSRing":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfhost\\Applicability","ValueName":"FSRing","RegValueType":"REG_SZ"},"GamingServicesInstalledKey":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Services\\GamingServices","IfExists":true},"GridZoneName":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\COAWOS","ValueName":"GridZoneName","RegValueType":"REG_SZ","PersistedSourceId":"COAWOSRoot"},"GStatus_CO21H2RegFb":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TargetVersionUpgradeExperienceIndicators\\CO21H2","ValueName":"GStatus","RegValueType":"REG_SZ"},"GStatusBlockIDs_All":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Appraiser\\GWX","ValueName":"SdbEntries","RegValueType":"REG_SZ"},"HidOverGattReg":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemRoot%/System32/drivers/UMDF/Microsoft.Bluetooth.Profiles.HidOverGatt.dll","ValueName":"Source","RegValueType":"REG_SZ"},"HotPatchEKBInstalled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Update\\TargetingInfo\\DynamicInstalled\\Hotpatch.amd64","IfExists":true},"HotpatchError":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\Hotpatch\\Environment","ValueName":"HotpatchError","RegValueType":"REG_DWORD"},"IIS_ASPNET":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based 
Servicing\\Notifications\\OptionalFeatures\\IIS-ASPNET","ValueName":"Selection","RegValueType":"REG_DWORD"},"IIS_NetFxExtensibility":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Notifications\\OptionalFeatures\\IIS-NetFxExtensibility","ValueName":"Selection","RegValueType":"REG_DWORD"},"InstallDate":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","ValueName":"InstallDate","RegValueType":"REG_DWORD"},"IntelPlatformId":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0","ValueName":"Platform Specific Field 1","RegValueType":"REG_DWORD"},"IppPrinterBadDefaultPdc":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\PrinterDriverData","ValueName":"V4_PDC_ChangeID","RegValueType":"REG_SZ","EncodingType":"Json"},"IsAutopilotRegistered":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Provisioning\\AutopilotPolicyCache","ValueName":"ProfileAvailable","RegValueType":"REG_DWORD"},"IsFlightingEnabled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfHost\\Applicability","ValueName":"IsBuildFlightingEnabled","RegValueType":"REG_DWORD"},"IsCHCapableBuild":{"HKey":"HKEY_CLASSES_ROOT","FullPath":"CLSID\\{2C57C51B-FD43-4E74-B077-551AE6228AD6}","IfExists":true},"IsCldFltSyncRoots":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager\\*","IfExists":true},"IsConfigMgrEnabled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsSelfHost\\ClientState","ValueName":"ConfigMgrEnabled","RegValueType":"REG_DWORD"},"IsContainerMgrInstalled":{"FullPath":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Containers\\CmService","IfExists":true},"IsEdgeWithChromiumInstalled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","IfExists":true},"IsEdgeWithChromiumInstalledWow":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Wow6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","IfExists":true},"IsFeedbackHubSelfhost":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\Partners\\IsFeedbackHubSelfhost","IfExists":true},"IsFSOverlay":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\GlobMerger","ValueName":"IsEnabled","RegValueType":"REG_DWORD"},"IsHybridOrXGpu":{"FullPath":"SOFTWARE\\Microsoft\\DirectX","ValueName":"HybridDeviceApplicableForDxDbGpuPreferences"},"IsProcessorMode":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\RegionalSettings","ValueName":"IsProcessorMode","RegValueType":"REG_QWORD"},"IsRemoteDesktopSessionHost":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","ValueName":"EditionID","RegValueType":"REG_SZ"},"IsSpotlightEnabledInOEMTheme":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes","ValueName":"WindowsSpotlight","RegValueType":"REG_DWORD"},"IsSpotlightThemeEnabledByOEM":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DesktopOptimization","ValueName":"WindowsSpotlightTheme","RegValueType":"REG_DWORD"},"IsVbsEnabled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\ControlSet001\\Control\\DeviceGuard","ValueName":"EnableVirtualizationBasedSecurity","RegValueType":"REG_DWORD"},"IsWDAGEnabled":{"FullPath":"SYSTEM\\ControlSet001\\Services\\hvsics","IfExists":true},"IsWDATPEnabled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows 
Advanced Threat Protection\\Status","ValueName":"OnboardingState"},"K7InstalledKey":{"FullPath":"SOFTWARE\\K7 Computing","IfExists":true},"K7InstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\K7 Computing","IfExists":true},"KasperskyInstalledKey":{"FullPath":"SOFTWARE\\KasperskyLab","IfExists":true},"KasperskyInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\KasperskyLab","IfExists":true},"KasperskyReg":{"FullPath":"System\\CurrentControlSet\\Services\\klhk\\Parameters","ValueName":"UseVtHardware"},"KingsoftInstalledKey":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Kingsoft Internet Security","IfExists":true},"KingsoftInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Kingsoft Internet Security","IfExists":true},"KioskMode":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\AssignedAccessCsp\\AutoLogonAccount","ValueName":"ConfigSource","RegValueType":"REG_DWORD"},"KnownFoldersBackupStatus":{"HKey":"HKEY_CURRENT_USER","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StorageProviderStatus","ValueName":"OneDrive","RegValueType":"REG_SZ"},"LaunchOobeInEndUserSession":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\OOBE","ValueName":"ContinueOobeInEnduserSession"},"LaunchUserOOBE":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\OOBE","ValueName":"LaunchUserOOBE","RegValueType":"REG_DWORD"},"LCUVer":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion","ValueName":"LCUVer"},"LenovoInstalledKey":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{A9861883-31C5-4324-BD9A-DC9527EEB675}_is1","IfExists":true},"LenovoInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{A9861883-31C5-4324-BD9A-DC9527EEB675}_is1","IfExists":true},"MalwarebytesInstalledKey":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1","IfExists":true},"MalwarebytesInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1","IfExists":true},"McAfeeInstalledKey":{"FullPath":"SOFTWARE\\McAfee\\MSC\\AppInfo\\Substitute\\QueryParams","IfExists":true},"McAfeeInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\McAfee\\MSC\\AppInfo\\Substitute\\QueryParams","IfExists":true},"MDE4WSLPluginReleaseRing":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Microsoft Defender for Endpoint plug-in for WSL","ValueName":"ReleaseRing","RegValueType":"REG_SZ"},"MDEWSLPluginReleaseRing":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Lxss\\Plugins\\DefenderPlug-in","ValueName":"ReleaseRing","RegValueType":"REG_SZ"},"Migrated_GatedFeature_NI22H2":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\MigratedMarkers\\TargetVersionUpgradeExperienceIndicators\\NI22H2","ValueName":"GatedFeatureSingleString","RegValueType":"REG_SZ"},"Migrated_GatedFeature_NI22H2Setup":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\AppCompatFlags\\MigratedMarkers\\TargetVersionUpgradeExperienceIndicators\\NI22H2Setup","ValueName":"GatedFeatureSingleString","RegValueType":"REG_SZ"},"MSRT_NO_AU":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Policies\\Microsoft\\MRT","ValueName":"DontOfferThroughWUAU","RegValueType":"REG_DWORD"},"MTPTargetingInfo":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Platform\\MTPTargetingInfo","ValueName":"TargetRing"},"NonSecurityUpdate":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate","ValueName":"NonSecurityRelease","RegValueType":"REG_DWORD"},"NPU_DeviceId":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\Class\\{f01a9d53-3ff6-48d2-9f97-c8a7004be10c}\\0000","ValueName":"MatchingDeviceId","RegValueType":"REG_SZ"},"NPUEnabledDevice":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows Media Foundation\\FrameServer\\WindowsCameraEffects","ValueName":"EffectsCameraAvailable","RegValueType":"REG_DWORD"},"OEMMode":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Office\\16.0\\Common\\OEM","ValueName":"OOBEMode","RegValueType":"REG_SZ"},"OEMModelBaseBoard":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"HARDWARE\\DESCRIPTION\\System\\BIOS","ValueName":"BaseBoardProduct","RegValueType":"REG_SZ"},"OemPartnerRing":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\Platform\\DeviceTargetingInfo","ValueName":"TargetRing","RegValueType":"REG_SZ"},"OEMSubModel":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"HARDWARE\\DESCRIPTION\\System\\BIOS","ValueName":"SystemSKU","RegValueType":"REG_SZ"},"OobeNdupAcceptedTarget":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\OOBE\\NDUP\\Updates","ValueName":"Target","RegValueType":"REG_SZ"},"OobeNdupFU22621CommitChoice":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\NDUP\\Updates\\FeatureUpdate_22621","ValueName":"CommitChoice","RegValueType
":"REG_DWORD"},"OobeNdupFUTarget":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\NDUP\\Updates\\FeatureUpdate_22631","ValueName":"Target","RegValueType":"REG_SZ"},"OobeSeeker":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Updates","ValueName":"OOBEUpdateStarted"},"OSDataDriverPartnerRing":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"OSData\\SOFTWARE\\Microsoft\\DriverFlighting\\Partner","ValueName":"TargetRing","RegValueType":"REG_SZ"},"OSRollbackBuild":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\OSUpgrade\\Rollback","ValueName":"BuildString","RegValueType":"REG_SZ"},"OSRollbackCount":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\OSUpgrade\\Rollback","ValueName":"Count","RegValueType":"REG_DWORD"},"OSRollbackDate":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\OSUpgrade\\Rollback","ValueName":"DateStamp","RegValueType":"REG_DWORD"},"PandaInstalledKey":{"FullPath":"SOFTWARE\\Panda Software\\Setup","IfExists":true},"PandaInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Panda 
Software\\Setup","IfExists":true},"PausedFeatureStatus":{"FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UpdatePolicy\\Settings","ValueName":"PausedFeatureStatus"},"PausedQualityStatus":{"FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UpdatePolicy\\Settings","ValueName":"PausedQualityStatus"},"PlayFabPartyRelay":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\PlayFabPartyRelay","IfExists":true},"PonchAllow":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat","ValueName":"cadca5fe-87d3-4b96-b7fb-a231484277cc","RegValueType":"REG_DWORD"},"PonchAllowKey":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc","IfExists":true},"PonchAllowWow":{"FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\QualityCompat","ValueName":"cadca5fe-87d3-4b96-b7fb-a231484277cc"},"PonchAllowWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc","IfExists":true},"PonchBlock":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat","ValueName":"65d75b03-6f4d-46e9-b870-517731e06cf9","RegValueType":"REG_DWORD"},"PreviewBuildsManagerEnabled":{"FullPath":"SOFTWARE\\Microsoft\\WindowsSelfhost\\Manager","ValueName":"ArePreviewBuildsAllowed"},"ProductType":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\ProductOptions","ValueName":"ProductType"},"PSAKyoceraMissingDEH":{"HKey":"HKEY_CLASSES_ROOT","FullPath":"Extensions\\ContractId\\Windows.PrintSupportExtension\\PackageId\\A97ECD55.KYOCERAPrintCenter_4.1.11108.0_x64__kqmhh0ktdt7dg","IfExists":true},"PSATATriumphMissingDEH":{"HKey":"HKEY_CLASSES_ROOT","FullPath":"Extensions\\ContractId\\Windows.PrintSupportExtension\\PackageId\\TATriumph-AdlerGmbH.TAUTAXPrintCenter_4.1.11108.0_x64__h5e8vsnevp54y","IfExists":true},"PSAXeroxMissingDEH":{"HKey":"HKEY_CLASSES_ROOT","Fu
llPath":"Extensions\\ContractId\\Windows.PrintSupportExtension\\PackageId\\XeroxCorp.PrintExperience_8.29.32.0_x64__f7egpvdyrs2a8","IfExists":true},"QihooInstalledKey":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\360TotalSecurity","IfExists":true},"QUDeadline":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate","ValueName":"ConfigureDeadlineForQualityUpdates","RegValueType":"REG_DWORD"},"QUDeadlineMDM":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Update","ValueName":"ConfigureDeadlineForQualityUpdates","RegValueType":"REG_DWORD"},"QuickhealInstalledKey1":{"FullPath":"SYSTEM\\CurrentControlSet\\Servicescatflt","IfExists":true},"QuickhealInstalledKey2":{"FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\scanner.exe","IfExists":true},"RecoveredFromBuild":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\WindowsSelfHost\\Applicability\\RecoveredFrom","ValueName":"LastBuild","RegValueType":"REG_DWORD"},"RecoveredOnDate":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\WindowsSelfHost\\Applicability\\RecoveredFrom","ValueName":"DateStamp","RegValueType":"REG_DWORD"},"ReleaseType":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Update\\TargetingInfo","ValueName":"ReleaseType","RegValueType":"REG_SZ"},"RobloxPlayer":{"HKey":"HKEY_CLASSES_ROOT","FullPath":"roblox-player","RegValueType":"REG_SZ","IfExists":true},"RobloxStudio":{"HKey":"HKEY_CLASSES_ROOT","FullPath":"roblox-studio","RegValueType":"REG_SZ","IfExists":true},"SetupDisplayedEulaVersion":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\OOBE\\","ValueName":"SetupDisplayedEulaVersion","RegValueType":"REG_DWORD"},"SH_SIPolicyCleanup":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\PPI\\Settings","ValueName":"SIPolicyCleanup","RegValueType":"REG_DWORD"},"SmartActiveHoursState":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"SmartActiveHoursState","RegValueType":"REG_DWORD"},"SophosInstalledKey1":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\SAVService","IfExists":true},"SophosInstalledKey2":{"FullPath":"SYSTEM\\CurrentControlSet\\Services\\hmpalertsvc","IfExists":true},"StayOnWindows10Timestamp":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"SvOfferDeclined","RegValueType":"REG_QWORD"},"Steam":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Classes\\Steam","ValueName":"","RegValueType":"REG_SZ"},"StrictHiveSecurityReg":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"Software\\Microsoft\\Windows 
NT\\CurrentVersion\\ProfileList\\*","ValueName":"StrictHiveSecuritySet"},"SymantecInstalledKey":{"FullPath":"SOFTWARE\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}","IfExists":true},"SymantecInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}","IfExists":true},"SystemGuard_Enabled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\SystemGuard","ValueName":"Enabled","RegValueType":"REG_DWORD"},"SystemManufacturer":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\SystemInformation","ValueName":"SystemManufacturer","RegValueType":"REG_SZ"},"SystemProductName":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\SystemInformation","ValueName":"SystemProductName","RegValueType":"REG_SZ"},"TargetReleaseVersionGP":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate","ValueName":"TargetReleaseVersionInfo","RegValueType":"REG_SZ"},"TargetReleaseVersionMDM":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Update","ValueName":"TargetReleaseVersion","RegValueType":"REG_SZ"},"TenantId":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SYSTEM\\CurrentControlSet\\Control\\CloudDomainJoin\\JoinInfo\\*","ValueName":"TenantId"},"TencentInstalledKey":{"FullPath":"SOFTWARE\\Tencent\\QQPCMgr","IfExists":true},"TencentInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\Tencent\\QQPCMgr","IfExists":true},"TencentReg":{"FullPath":"SYSTEM\\CurrentControlSet\\services\\TesSafe","ValueName":"LoadStartTime"},"TencentType":{"FullPath":"SYSTEM\\CurrentControlSet\\services\\TesSafe","ValueName":"Type"},"TestAllowedIDFlags":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\TestHooks","ValueName":"TestAllowedIDFlags","RegValueType":"REG_DWORD"},"TestRN":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\Curr
entVersion\\Wosc\\Client\\Persistent\\ClientState\\FCON","ValueName":"TestRing"},"ThreatTrackInstalledKey":{"FullPath":"SOFTWARE\\SBAMSvc","IfExists":true},"ThreatTrackInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\SBAMSvc","IfExists":true},"TimestampEpochString_CO21H2RegFb":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TargetVersionUpgradeExperienceIndicators\\CO21H2","ValueName":"TimestampEpochString","RegValueType":"REG_SZ"},"TrendInstalledKey":{"FullPath":"SOFTWARE\\TrendMicro","IfExists":true},"TrendInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\TrendMicro","IfExists":true},"UHSEnrolled":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","ValueName":"UHSEnrolled","RegValueType":"REG_SZ","IfExists":true},"UninstallActive":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"System\\Setup","ValueName":"UninstallActive","RegValueType":"REG_DWORD"},"UpdateOfferedDays":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WaaSAssessment\\Cache\\","ValueName":"UpToDateDays","RegValueType":"REG_DWORD"},"UpdatePreference":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate","ValueName":"UpdatePreference","RegValueType":"REG_DWORD"},"UpgEx_CO21H2RegFb":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\AppCompatFlags\\TargetVersionUpgradeExperienceIndicators\\CO21H2","ValueName":"UpgEx","RegValueType":"REG_SZ"},"UpgradeAccepted":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Updates\\","ValueName":"UpgradeAccepted","RegValueType":"REG_DWORD","IfExists":true},"UpgradeEligible":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion","ValueName":"UpgradeEligible","RegValueType":"REG_DWORD"},"UserInPlaceUpgrade":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\\\Windows\\\\CurrentVersion","ValueName":"UserInPlaceUpgrade","RegValueType":"REG_DWORD"},"UsoScanMitigation":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Orchestrator\\Mitigation\\","ValueName":"UsoScanNotStartingMitigationCompleted","RegValueType":"REG_DWORD","IfExists":true},"UtcDataHandlingPolicies":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack","ValueName":"UtcDataHandlingPolicies","RegValueType":"REG_QWORD"},"UUSVersion":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Orchestrator","ValueName":"LastRunVersion","RegValueType":"REG_SZ"},"WAS_NetFxEnvironment":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Notifications\\OptionalFeatures\\WAS-NetFxEnvironment","ValueName":"Selection","RegValueType":"REG_DWORD"},"WCFHTTPActivationNotificationState":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Component Based Servicing\\\\Notifications\\\\OptionalFeatures\\\\WCF-HTTP-Activation","ValueName":"Selection","RegValueType":"REG_DWORD"},"WCFNonHTTPActivationNotificationState":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Component Based 
Servicing\\\\Notifications\\\\OptionalFeatures\\\\WCF-NonHTTP-Activation","ValueName":"Selection","RegValueType":"REG_DWORD"},"WebExperience":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","IfExists":true},"WebExperienceWow":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}","IfExists":true},"WebrootInstalledKey":{"FullPath":"SOFTWARE\\WRData","IfExists":true},"WebrootInstalledWowKey":{"FullPath":"SOFTWARE\\WOW6432Node\\WRData","IfExists":true},"Win10ConsumerESUStatus":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\\ESU","ValueName":"Win10ConsumerESUStatus","RegValueType":"REG_DWORD"},"Win11UpgradeAcceptedTimestamp":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"SvOfferAccepted","RegValueType":"REG_QWORD"},"Win11UpgradeAcceptedWUSeeker":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings","ValueName":"SvOfferAccepted","RegValueType":"REG_QWORD","IfExists":true},"WindowsAccountSyncConsentApplicable":{"HKey":"HKEY_CURRENT_USER","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\UnifiedConsent\\DEFAULTACCOUNT\\WINDOWSACCOUNTSYNCCONSENT","ValueName":"isApplicable","RegValueType":"REG_DWORD"},"WindowsAccountSyncConsentPromptAllowed":{"HKey":"HKEY_CURRENT_USER","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\UnifiedConsent\\DEFAULTACCOUNT\\WINDOWSACCOUNTSYNCCONSENT","ValueName":"isSystemInitiatedPromptAllowed","RegValueType":"REG_DWORD"},"WindowsAccountSyncConsentState":{"HKey":"HKEY_CURRENT_USER","FullPath":"Software\\Microsoft\\Windows\\CurrentVersion\\UnifiedConsent\\DEFAULTACCOUNT\\WINDOWSACCOUNTSYNCCONSENT\\DATASHARING","ValueName":"isConsentAccepted","RegValueType":"REG_DWORD"},"WindowsMixedReality":{"HKey":"HKEY_LOCAL_MACHINE","
FullPath":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\HoloLensSensors","ValueName":"WdfMajorVersion","RegValueType":"REG_DWORD"},"WOSCEndpointsSupported":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Wosc\\Client\\Persistent","ValueName":"EndpointsSupported","RegValueType":"REG_SZ"},"WSX_Runtime":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSX\\WSXPacks\\CTAC","ValueName":"ExperienceExtensions","RegValueType":"REG_SZ"},"WSX_Windows_AccountControl":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSX\\WSXPacks\\CTAC","ValueName":"Windows.AccountControl","RegValueType":"REG_SZ"},"WSX_Windows_AppSample":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSX\\WSXPacks\\CTAC","ValueName":"Windows.AppSample","RegValueType":"REG_SZ"},"WSX_Windows_Settings_Account":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSX\\WSXPacks\\CTAC","ValueName":"Windows.Settings.Account","RegValueType":"REG_SZ"},"WSX_Windows_Shell_Start":{"HKey":"HKEY_LOCAL_MACHINE","FullPath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSX\\WSXPacks\\CTAC","ValueName":"Windows.Shell.StartMenu","RegValueType":"REG_SZ"}},"UpdatePolicy":{"AdminOptedIntoRebootlessUpdates":{"PolicyEnum":59,"Enterprise":true},"AllowOptionalContent":{"PolicyEnum":58,"Enterprise":true},"BranchReadinessLevel":{"PolicyEnum":5,"Enterprise":true},"BranchReadinessLevelSource":{"PolicyEnum":5,"Enterprise":true,"UseSource":true},"DeferFeatureUpdatePeriodInDays":{"PolicyEnum":9,"Enterprise":true},"DeferQualityUpdatePeriodInDays":{"PolicyEnum":7,"Enterprise":true},"DisableDualScan":{"PolicyEnum":42,"Enterprise":true},"EnableWUfBUpgradeGates":{"PolicyEnum":51,"Enterprise":true},"TargetProductVersion":{"PolicyEnum":53,"Enterprise":true},"TargetReleaseVersion":{"PolicyEnum":50,"Enterprise":true},"UpdateServiceUrl":{"PolicyEn
um":12},"WUfBClientManaged":{"PolicyEnum":32,"Enterprise":true}},"FileInfo":{"AvastVer":{"Path":"\\system32\\Drivers\\aswVmm.sys","FolderGuid":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}"},"AvgVer":{"Path":"\\system32\\Drivers\\avgVmm.sys","FolderGuid":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}"},"BullguardInstalledVer":{"Path":"\\BullGuard Ltd\\BullGuard\\BullGuard.exe","IfExists":true,"FolderGuid":"{905E63B6-C1BF-494E-B29C-65B732D3D21A}"},"CortanaAppVer":{"Path":"\\WindowsApps\\Microsoft.549981C3F5F10_8wekyb3d8bbwe\\CortanaApp.View.exe","FolderGuid":"{905E63B6-C1BF-494E-B29C-65B732D3D21A}"},"CortanaAppVerTest":{"Path":"\\WindowsApps\\3242f7d9-db60-4380-a379-4205ea768bfc_1.0.0.0_x64__zs4v8rx04ex0m\\UndockingTestApp.exe","FolderGuid":"{905E63B6-C1BF-494E-B29C-65B732D3D21A}"},"CrowdStrikeInstalledVer":{"Path":"drivers\\CrowdStrike\\CSAgent.sys","IfExists":true,"FolderGuid":"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"},"DmdHpControlPackageEnUs":{"Path":"%PROGRAMDATA%\\Microsoft\\Windows\\DeviceMetadataCache\\dmrccache\\en-US\\d3a162c7-a388-4099-b63d-265639514cc0\\PackageInfo.xml","IfExists":true},"DmdHpControlPackageMultiloc":{"Path":"%PROGRAMDATA%\\Microsoft\\Windows\\DeviceMetadataCache\\dmrccache\\multiloc\\d3a162c7-a388-4099-b63d-265639514cc0\\PackageInfo.xml","IfExists":true},"DmdHpControlPackageTr":{"Path":"%PROGRAMDATA%\\Microsoft\\Windows\\DeviceMetadataCache\\dmrccache\\tr\\d3a162c7-a388-4099-b63d-265639514cc0\\PackageInfo.xml","IfExists":true},"EsetVer":{"Path":"\\drivers\\ehdrv.sys","FolderGuid":"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"},"FileExistsMscoreeDll":{"Path":"%windir%\\\\system32\\\\mscoree.dll","IfExists":true},"GDataInstalledVer":{"Path":"\\drivers\\MiniIcpt.sys","IfExists":true,"FolderGuid":"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"},"HidparseDriversVer":{"Path":"%windir%\\system32\\drivers\\hidparse.sys"},"HidparseSystem32Ver":{"Path":"%windir%\\system32"},"HidparseSystem32Ver1":{"Path":"%windir%\\system32\\hidparse.sys"},"IsNotepadExePresent":{"Path":"%win
dir%\\system32\\notepad.exe","IfExists":true},"K7InstalledVer":{"Path":"\\K7 Computing","IfExists":true,"FolderGuid":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"},"KasperskyVer":{"Path":"\\system32\\Drivers\\klhk.sys","FolderGuid":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}"},"OnnxruntimeVer":{"Path":"%windir%\\\\system32\\\\onnxruntime.dll"},"PandaInstalledVer":{"Path":"\\Panda Security","IfExists":true,"FolderGuid":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"},"SkypeRoomSystem":{"Path":"%systemdrive%\\Recovery\\OEM\\$oem$\\$1\\Rigel\\x64\\Scripts\\Provisioning\\AutoUnattend.xml","IfExists":true},"SymantecVer":{"Path":"\\Symantec\\Shared\\EENGINE\\eeCtrl.sys","FolderGuid":"{DE974D24-D9C6-4D3E-BF91-F4455120B917}"},"SymantecVer64":{"Path":"\\Symantec\\Shared\\EENGINE\\eeCtrl64.sys","FolderGuid":"{DE974D24-D9C6-4D3E-BF91-F4455120B917}"},"TobiiVer":{"Path":"\\Tobii\\Tobii EyeX Interaction\\Tobii.EyeX.Interaction.exe","FolderGuid":"{905E63B6-C1BF-494E-B29C-65B732D3D21A}"},"TobiiVer1x86":{"Path":"\\Tobii\\tobii EyeX Interaction\\Tobii.EyeX.Interaction.exe","FolderGuid":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"},"TobiiVerx86":{"Path":"\\tobii EyeX Interaction\\Tobii.EyeX.Interaction.exe","FolderGuid":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"},"TrendInstalledVer":{"Path":"\\Trend 
Micro\\Titanium\\plugin\\plugVizor.dll","IfExists":true,"FolderGuid":"{905E63B6-C1BF-494E-B29C-65B732D3D21A}"},"TrendMicroVer":{"Path":"\\drivers\\TMUMH.sys","FolderGuid":"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"},"UCPDVer":{"Path":"\\drivers\\UCPD.sys","FolderGuid":"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"},"WASDK_1_2_ARM":{"Path":"%programfiles%\\WindowsApps\\Microsoft.WindowsAppRuntime.1.6_6000.311.13.0_arm__8wekyb3d8bbwe\\WindowsAppRuntime.DeploymentExtensions.OneCore.dll","IfExists":true},"WASDK_1_2_ARM64":{"Path":"%programfiles%\\WindowsApps\\Microsoft.WindowsAppRuntime.1.6_6000.311.13.0_arm64__8wekyb3d8bbwe\\WindowsAppRuntime.DeploymentExtensions.OneCore.dll","IfExists":true},"WASDK_1_2_DLL":{"Path":"%programfiles%\\WindowsApps\\Microsoft.WindowsAppRuntime.1.6_6000.311.13.0_x64__8wekyb3d8bbwe\\WindowsAppRuntime.DeploymentExtensions.OneCore.dll","IfExists":true},"WASDK_1_2_X86":{"Path":"%programfiles%\\WindowsApps\\Microsoft.WindowsAppRuntime.1.6_6000.311.13.0_x86__8wekyb3d8bbwe\\WindowsAppRuntime.DeploymentExtensions.OneCore.dll","IfExists":true},"WuClientVer":{"Path":"\\system32\\wuaueng.dll","FolderGuid":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}"},"XamlCbsActivationStore":{"Path":"%ProgramData%\\\\Microsoft\\\\Windows\\\\AppRepository\\\\Packages\\\\Microsoft.UI.Xaml.CBS_8.2205.4001.0_x64__8wekyb3d8bbwe\\\\ActivationStore.dat","IfExists":true},"XamlCbsActivationStoreArm64":{"Path":"%ProgramData%\\\\Microsoft\\\\Windows\\\\AppRepository\\\\Packages\\\\Microsoft.UI.Xaml.CBS_8.2205.4001.0_arm64__8wekyb3d8bbwe\\\\ActivationStore.dat","IfExists":true}},"Licensing":{"UpdateManagementGroup":{"Name":"UpdatePolicy-UpdateManagementGroup"}},"Policy":{"DesiredOcpVersion":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/DesiredUpdates/OcpVersion/"},"DesiredOsVersion":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/DesiredUpdates/OsVersion"},"DesiredSystemManifestVersion":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/DesiredUpdates/SystemManifestVersion"},"DucCusto
mPackageId":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/Enrollment/CustomPackageId"},"DucDeviceModelId":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/Enrollment/DeviceModelId"},"DucOemPartnerRing":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/Enrollment/OemPartnerRing"},"DucPublisherId":{"LocUri":"./Device/Vendor/MSFT/DeviceUpdateCenter/Enrollment/PublisherId"},"SetPolicyDrivenUpdateSourceForFeatureUpdates":{"LocUri":"./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates"},"WSUSconfigured_csp":{"LocUri":"./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl"}},"AppInfo":{"AIFabricCBSStableVer":{"Name":"Microsoft.WindowsAppRuntime.CBS.1.6"},"WidgetsAppVer":{"Name":"MicrosoftWindows.Client.WebExperience"}},"WMI":{"ElanFingerprintDriverVersion":{"Query":"SELECT DriverVersion, Manufacturer FROM Win32_PnPSignedDriver WHERE Manufacturer = 'ELAN'","Name":"DriverVersion","Timeout":2000},"FirstStorageSpaceDeviceId":{"Query":"SELECT DeviceID FROM Win32_DiskDrive WHERE Model = 'Microsoft Storage Space Device'","Name":"DeviceID","Timeout":2000},"IIS_ASPNET_WMI":{"Query":"SELECT * FROM Win32_OptionalFeature WHERE name = 'IIS-ASPNET'","Name":"InstallState","Timeout":2000},"IIS_NetFxExtensibility_WMI":{"Query":"SELECT * FROM Win32_OptionalFeature WHERE name = 'IIS-NetFxExtensibility'","Name":"InstallState","Timeout":2000},"NetFx3State":{"Query":"SELECT * FROM Win32_OptionalFeature WHERE name = 'NetFX3'","Name":"InstallState","Timeout":2000},"PSAKyoceraInstalledName":{"Query":"SELECT Name, ProgramId FROM Win32_InstalledStoreProgram WHERE ProgramId = 'A97ECD55.KYOCERAPrintCenter_4.1.11108.0_x64__kqmhh0ktdt7dg'","Name":"Name","Timeout":2000},"PSATATriumphInstalledName":{"Query":"SELECT Name, ProgramId FROM Win32_InstalledStoreProgram WHERE ProgramId = 'TATriumph-AdlerGmbH.TAUTAXPrintCenter_4.1.11108.0_x64__h5e8vsnevp54y'","Name":"Name","Timeout":2000},"WAS_NetFxEnvironment_WMI":{"Query":"SELECT * FROM Win32_OptionalFeature WHERE 
name = 'WAS-NetFxEnvironment'","Name":"InstallState","Timeout":2000},"WCFHTTPActivationState":{"Query":"SELECT * FROM Win32_OptionalFeature WHERE name = 'WCF-HTTP-Activation'","Name":"InstallState","Timeout":2000},"WCFNonHTTPActivationState":{"Query":"SELECT * FROM Win32_OptionalFeature WHERE name = 'WCF-NonHTTP-Activation'","Name":"InstallState","Timeout":2000},"XeroxPsaInstalledName":{"Query":"SELECT Name, ProgramId FROM Win32_InstalledStoreProgram WHERE ProgramId = 'XeroxCorp.PrintExperience_8.29.32.0_x64__f7egpvdyrs2a8'","Name":"Name","Timeout":2000}},"RegionPolicy":{"IsCampaignEdgePromotionEnabled":{"ForceEvaluate":false,"PolicyGUID":"{2BF706DE-6DBB-4692-B7EF-84D80C47E927}"},"IsCampaignSegmentTargetingEnabled":{"ForceEvaluate":false,"PolicyGUID":"{36996754-E327-483A-902F-523E2BA03239}"}}}
(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: FlightSettingsServiceUrl
Value: https://insideruser.microsoft.com/api/FlightSettings

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: HonorUTCRestrictions
Value: 0

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: SyncWNSUri
Value: 0

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: IsBuildUnsupported
Value: 0

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: FlightSettingsVersion
Value: 2

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: UTCApprovedProperties
Value: deviceType;osUILocale;currentTelemetryLevelInt;defaultDynamicRegistryReads;propertyIgnoreList;testFlags;rs2CapabilitiesPresent;rs3CapabilitiesPresent

(PID) Process: (5496) MoUsoCoreWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\OneSettings
Operation: write
Name: MaxCallsPerDay
Value: 500

Executable files: 6
Suspicious files: 53
Text files: 21
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | xml
MD5:5FADF13CCFBDCC5DD728380F7A615B28
SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | xml
MD5:C6086D02F8CE044F5FA07A98303DC7EB
SHA256:8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | xml
MD5:11954764DE4745B35A42219A7C5E2DCA
SHA256:997FCF971A38394C30D9E5CA0C6B36E782630E83B52D2664C56F1DEFBA54CB6C
5496 | MoUsoCoreWorker.exe | C:\ProgramData\USOPrivate\UpdateStore\store.db-journal | binary
MD5:007FB11D3F146A0A62AA23AD8E991297
SHA256:449F0BBF164397990E78848D17C9E59DA228997546D9E03CA89339C05B70FDF7
1772 | svchost.exe | C:\Windows\Prefetch\SPPEXTCOMOBJ.EXE-BB03B3D6.pf | binary
MD5:95079532471EB44A93DEE83947F9D34F
SHA256:590A26CF68D6640124CD4DA1C7E68802729E0EC0E613012BEF2C112A0CA61A1C
1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | xml
MD5:4838EE953DAB2C7A1BF57E0C6620A79D
SHA256:22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D
1772 | svchost.exe | C:\Windows\Prefetch\SVCHOST.EXE-D1174AA4.pf | binary
MD5:10B0831886CBACC163F3B2C8E36BA240
SHA256:AC577FD8EFD94D7E70D5AD814220DD5E94114EC7268E26BF4D74847542A853B7
6896 | dllhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk | binary
MD5:E313E6FAE3209AADA08F9555EC656479
SHA256:A7C3F81F6A785EDAD90CA02F02D7FBCBBCCC711A00F924D1AA8ED18284CF7F87
1772 | svchost.exe | C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf | binary
MD5:AC4498113F2DA9BE5E1795E5331C2970
SHA256:F3269AFD5F826B13E0E2F3FD008F83BCF255C017A2433FF165A2F47464FC1623
1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon | xml
MD5:8CBC84881481158749FD559D1D305C46
SHA256:F4902BEF1E82CDAB34A23A43A7F15C0D1C0A0B86E5DD187CACB75E3DF4024153
HTTP(S) requests: 7
TCP/UDP connections: 33
DNS requests: 21
Threats: 9

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 5796 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 2504 | powershell.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/37qVlCHY | unknown | | | shared |
| 2416 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted |
| 2416 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted |
| 6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | | | | whitelisted |
| 1600 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
| 5796 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5796 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | | | | whitelisted |
| 3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | 40.127.240.158 | whitelisted |
| google.com | 216.58.206.46 | whitelisted |
| crl.microsoft.com | 2.16.168.124, 2.16.168.114 | whitelisted |
| www.microsoft.com | 2.23.246.101 | whitelisted |
| client.wns.windows.com | 172.211.123.248 | whitelisted |
| paste.ee | 23.186.113.60 | shared |
| slscr.update.microsoft.com | 4.245.163.56 | whitelisted |
| fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted |
| files.catbox.moe | 108.181.20.43 | malicious |
| pastebin.com | 172.67.25.94, 104.22.68.199, 104.22.69.199 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 2196 | svchost.exe | Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) |
| 2504 | powershell.exe | Potentially Bad Traffic | ET HUNTING Powershell Request for paste .ee Page |
| 2504 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
| 2504 | powershell.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI |
| 2904 | powershell.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) |
| 2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage |
| 2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg) |
| 2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg) |
| 2196 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
No debug info